From d0c271ac41a79d6bd118f127613e10fb96151db6 Mon Sep 17 00:00:00 2001
From: Thomas NOEL <tnoel@entrouvert.com>
Date: Tue, 4 Apr 2023 10:57:13 +0200
Subject: [PATCH] phonecalls: remove X-Frame-Options on newtab (#76162)

---
 passerelle/apps/phonecalls/models.py | 3 ++-
 tests/test_phonecalls.py             | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/passerelle/apps/phonecalls/models.py b/passerelle/apps/phonecalls/models.py
index 471add6e..4f87de90 100644
--- a/passerelle/apps/phonecalls/models.py
+++ b/passerelle/apps/phonecalls/models.py
@@ -72,7 +72,8 @@ class PhoneCalls(BaseResource):
 
         # open agent's portal in a new tab
         if newtab and redirect_url:
-            return render(request, 'phonecalls/start_call_newtab.html', {'redirect_url': redirect_url})
+            response = render(request, 'phonecalls/start_call_newtab.html', {'redirect_url': redirect_url})
+            response.xframe_options_exempt = True
         return response
 
     @endpoint(
diff --git a/tests/test_phonecalls.py b/tests/test_phonecalls.py
index e6bc1231..02bf7d78 100644
--- a/tests/test_phonecalls.py
+++ b/tests/test_phonecalls.py
@@ -193,6 +193,7 @@ def test_phonecalls_start_newtab(app, phonecalls):
         params={'apikey': '123', 'callee': '42', 'caller': '0612345678', 'newtab': '1'},
     )
     assert resp.content_type == 'text/html'
+    assert 'X-Frame-Options' not in resp.headers
     assert 'window.open("https://portail\\u002Dagent.publik/?callee\\u003D42")' in resp.text
     assert Call.objects.filter(callee='42', caller='0612345678').count() == 1